
#91: Filtering Parameters in Phoenix

Published April 29, 2019

Phoenix 1.4

Currently, when a user registers for our site they enter some information about themselves, like their name, date of birth, and a secret phrase they can use in case they get locked out of their account, in addition to their email and password. Let’s look at the logs for when a user is created:

  Parameters: %{"registration" => %{"dob" => "01/01/1990", "email" => "", "encrypted_password" => "[FILTERED]", "secret_phrase" => "top secret", "username" => "alekx"}}

We see that by default Phoenix filters out the password. However, we still have some sensitive information like the date of birth and the secret phrase included. Phoenix makes it easy to filter out sensitive data like this, so let’s update our application to do just that.

We’ll open our config.exs. Phoenix gives us two ways to configure which parameters are filtered. The first is to list the parameters we want to filter; any others not specified will still appear in our logs. To do that we’ll add config :phoenix with the :filter_parameters option and then a list of the parameters we want to filter. Let’s filter out “dob” and “secret_phrase”. Since we’re setting the list ourselves, we’ll need to remember to include “password” if we want it to continue to be filtered.

config/config.exs

...
config :phoenix, :filter_parameters, ["dob", "secret_phrase", "password"]
...

We’ll need to restart the server since we changed config.exs.

$ mix phx.server

Then we create another user and look at the logs again:

  Parameters: %{ ... "registration" => %{"dob" => "[FILTERED]", "email" => "", "encrypted_password" => "[FILTERED]", "secret_phrase" => "[FILTERED]", "username" => "bill"}}

We see that the parameters we specified: dob, secret_phrase, and password are being filtered out.

Now let’s look at the other way to filter parameters. We’ll go back to our config.exs and instead of specifying what parameters we want filtered here, we can do the opposite and specify the parameters we want to show.

Let’s change our filter_parameters option: instead of a list we’ll use a two-element tuple, where the first element is the atom :keep and the second is a list of the parameters we don’t want filtered in our logs. All parameters not specified here will be filtered.

config/config.exs

...
config :phoenix, :filter_parameters, {:keep, ["username"]}
...

Then we’ll restart the server again.

$ mix phx.server

And if we create another user and go to our logs, we see only the “username” is not filtered in our params.

  Parameters: %{ ... "registration" => %{"dob" => "[FILTERED]", "email" => "[FILTERED]", "encrypted_password" => "[FILTERED]", "secret_phrase" => "[FILTERED]", "username" => "Jill"}}
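Both configurations above can be pinned down with a regression test, added here as an example that is not part of the episode. It calls Phoenix.Logger.filter_values, the public Phoenix function that applies :filter_parameters; the file path, module name and sample values are assumptions, and the test is meant to run inside the Phoenix app with mix test.

```elixir
# test/filter_parameters_test.exs (hypothetical file and module name)
defmodule FilterParametersTest do
  use ExUnit.Case, async: true

  # Constructed sample, modelled on the registration params shown in the logs above.
  @params %{
    "registration" => %{
      "dob" => "01/01/1990",
      "email" => "user@example.com",
      "encrypted_password" => "hunter2",
      "secret_phrase" => "top secret",
      "username" => "alekx"
    }
  }

  @sensitive ~w(dob encrypted_password secret_phrase)

  test "deny-list filters the named keys, including nested ones" do
    out = Phoenix.Logger.filter_values(@params, ["dob", "secret_phrase", "password"])
    reg = out["registration"]

    # Deny-list entries match as substrings, so "password" also covers
    # "encrypted_password".
    for key <- @sensitive, do: assert reg[key] == "[FILTERED]"

    # Keys that are not listed still reach the logs in clear text.
    assert reg["username"] == "alekx"
    assert reg["email"] == "user@example.com"
  end

  test "keep-list filters everything except the named keys" do
    out = Phoenix.Logger.filter_values(@params, {:keep, ["username"]})
    reg = out["registration"]

    assert reg["username"] == "alekx"
    for key <- Map.keys(reg) -- ["username"], do: assert reg[key] == "[FILTERED]"
  end

  test "the configured :filter_parameters hides every sensitive key" do
    # filter_values/1 falls back to the application's :filter_parameters setting,
    # so this fails if config.exs stops covering one of the sensitive keys.
    reg = Phoenix.Logger.filter_values(@params)["registration"]
    for key <- @sensitive, do: assert reg[key] == "[FILTERED]"
  end
end
```

With the deny-list, a newly added form field is logged until someone remembers to list it; with the {:keep, ...} form it is filtered by default, which is why the third test is the one worth keeping in CI.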